CVE-2020-10095
Published: 19 February 2025
Summary
CVE-2020-10095 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in Lexmark devices (vendor inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 26.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-10095 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, affecting various Lexmark devices. Published on 2025-02-19, it enables an attacker to modify the configuration of the device. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H), indicating high severity due to its potential for significant integrity and availability impacts.
A remote attacker requires no privileges (PR:N) and can exploit the issue over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as an authenticated user clicking a malicious link while logged in to the device's web interface. Successful exploitation allows the attacker to alter device configurations, compromising integrity (high impact) and potentially disrupting availability (high impact), while confidentiality remains unaffected.
Lexmark provides mitigation guidance through its security advisories, accessible at http://support.lexmark.com/alerts/ and https://www.lexmark.com/en_us/solutions/security//lexmark-security-advisories.html. Security practitioners should consult these resources for patching instructions and configuration hardening recommendations specific to affected devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-2560
Vulnerability details
Various Lexmark devices have CSRF that allows an attacker to modify the configuration of the device.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF on the device's public-facing web interface directly enables remote configuration modification via a malicious link (T1190 + T1204.001).
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): Directly protects against CSRF vulnerabilities like CVE-2020-10095 by ensuring the authenticity of communication sessions through mechanisms such as anti-CSRF tokens.
- SI-2 (Flaw Remediation): Remediates the specific CSRF flaw in Lexmark devices by identifying, prioritizing, and applying vendor patches or updates as provided in Lexmark security advisories.
- Input validation: Validates web inputs on Lexmark devices to detect and block unauthorized configuration modification requests that lack proper CSRF protections.
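The following is an added illustration of the SC-23 control named above (the synchronizer-token pattern plus an Origin check), written for this page; it is not Lexmark firmware code and does not reflect how the affected devices implement their web interface. It models a device configuration endpoint with an in-memory session store: the first handler authenticates by session cookie alone, which is the shape of flaw CWE-352 describes, and the second additionally requires a per-session anti-CSRF token in the form body and rejects requests whose Origin or Referer header names a different site. The trusted origin, session layout and request class are all constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed in-memory session store: session id -> session data.
# Real firmware would use its own session layer; this only illustrates the pattern.
SESSIONS = {}
TRUSTED_ORIGIN = "https://printer.example.internal"  # assumed device origin


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(username):
    """Create an authenticated session with a fresh anti-CSRF token; return the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": username,
        "config": {"admin_password": "initial"},
        "csrf": secrets.token_urlsafe(32),  # unguessable, bound to this session
    }
    return sid


def csrf_token_for(sid):
    """The token the device would embed in its own configuration form."""
    return SESSIONS[sid]["csrf"]


def _session(req):
    return SESSIONS.get(req.cookies.get("session", ""))


def _origin_allowed(req):
    """Reject when Origin (or Referer as fallback) is present and names another site.
    A missing header is tolerated here because the token check below is the primary control."""
    value = req.headers.get("Origin") or req.headers.get("Referer")
    if not value:
        return True
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def update_config_vulnerable(req):
    """CSRF-prone: the browser attaches the session cookie automatically, so any
    page the victim visits can submit this form on their behalf."""
    sess = _session(req)
    if sess is None:
        return 401, "not authenticated"
    sess["config"].update(req.form)
    return 200, "configuration updated"


def update_config_hardened(req):
    """Session cookie + same-origin check + synchronizer token compared in constant time."""
    sess = _session(req)
    if sess is None:
        return 401, "not authenticated"
    if req.method != "POST":
        return 405, "method not allowed"
    if not _origin_allowed(req):
        return 403, "cross-site request rejected"
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    changes = {k: v for k, v in req.form.items() if k != "csrf_token"}
    sess["config"].update(changes)
    return 200, "configuration updated"


if __name__ == "__main__":
    sid = login("admin")
    # Constructed cross-site request: valid cookie, no token, foreign Origin.
    forged = Request("POST", "/config", cookies={"session": sid},
                     headers={"Origin": "https://other-site.example"},
                     form={"admin_password": "changed"})
    print("vulnerable handler:", update_config_vulnerable(forged))
    print("hardened handler:  ", update_config_hardened(forged))
```

Run stand-alone, the vulnerable handler reports 200 and applies the change while the hardened handler returns 403 and leaves the configuration untouched. Two details matter in practice: the token must be unguessable and tied to the session (a static or predictable value gives no protection), and the comparison uses `hmac.compare_digest` so that token checking does not leak timing information. The Origin check is defense in depth only, since older clients may omit the header.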